2016-02-29 - ANGLER EK DATA DUMP
PCAPS AND MALWARE:
- ZIP archive of all the PCAPs: 2016-02-29-Angler-EK-data-dump-all-pcaps.zip 2.9 MB (2,911,471 bytes)
- ZIP archive of malware and artifacts: 2016-02-29-Angler-EK-data-dump-malware-and-artifacts.zip 2.1 MB (2,077,954 bytes)
NOTES:
- Saw another CVE-2016-0034 Silverlight exploit, as reported earlier this month by Kafeine.
- Big thanks to Denis who identified traffic associated with the Sucuri blog post about the Pseudo Darkleech campaign.
DETAILS
DATE/TIME: 2016-02-29 15:01 UTC
- www.sushifaq.com - Compromised website
- www.sushifaq.com - GET /wp-includes/js/wp-emoji-release.min.js?ver=cc53e3ac3022aedee8df384198ff44fb [.js file with injected script]
- 178.62.92.47 port 80 - js.zolotceulya.info - Admedia gate
- 185.46.11.109 port 80 - brut.moood.me - Angler EK
- 192.185.39.66 port 80 - biocarbon.com.ec - POST /wp-content/uploads/bstr.php [TeslaCrypt callback]
DATE/TIME: 2016-02-29 20:12 UTC
- www.serenewoods.co.in - Compromised website
- 204.45.251.197 port 80 - dmorleygccasharpster.tontelephone.net - Angler EK
- 192.185.39.66 port 80 - biocarbon.com.ec - POST /wp-content/uploads/bstr.php [TeslaCrypt callback]
- 62.210.141.228 port 80 - imagescroll.com - POST /cgi-bin/Templates/bstr.php [TeslaCrypt callback]
DATE/TIME: 2016-02-29 20:54 UTC
- www.buro.net.au - Compromised website
- 204.45.251.197 port 80 - tynnyrilt.myerscompanies.com - Angler EK
- 62.210.141.228 port 80 - imagescroll.com - POST /cgi-bin/Templates/bstr.php [TeslaCrypt callback]
DATE/TIME: 2016-02-29 21:26 UTC
- www.ncakey.org - Compromised website
- 51.254.240.66 port 80 - mouwvegers.gothamplay.nyc - Angler EK
- 62.210.141.228 port 80 - imagescroll.com - POST /cgi-bin/Templates/bstr.php [TeslaCrypt callback]
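One way to turn the indicator lines above into a detection check, as an added example (not code from the page or its author): it parses the page's own "- IP port 80 - host - role" lines into records and matches proxy log lines against them by host or destination IP. The proxy log lines are constructed for the demonstration, not taken from the PCAPs, and the "POST to a path ending in bstr.php" heuristic is an assumption generalized from the two callback entries on this page.

```python
"""Parse the indicator lines of this Angler EK write-up and check proxy
log lines against them. Added example; indicator lines are copied from
the page, proxy log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicator lines copied verbatim from the DETAILS section of the page.
INDICATOR_LINES = """\
- www.sushifaq.com - Compromised website
- 178.62.92.47 port 80 - js.zolotceulya.info - Admedia gate
- 185.46.11.109 port 80 - brut.moood.me - Angler EK
- 192.185.39.66 port 80 - biocarbon.com.ec - POST /wp-content/uploads/bstr.php [TeslaCrypt callback]
- 204.45.251.197 port 80 - dmorleygccasharpster.tontelephone.net - Angler EK
- 62.210.141.228 port 80 - imagescroll.com - POST /cgi-bin/Templates/bstr.php [TeslaCrypt callback]
- 51.254.240.66 port 80 - mouwvegers.gothamplay.nyc - Angler EK
"""

# One write-up line: optional "IP port N - ", then host, then a free-text
# role that may end in a "[bracketed label]" and may start with a request.
_LINE_RE = re.compile(
    r"^- (?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) - )?"
    r"(?P<host>\S+) - (?P<rest>.+)$"
)
_BRACKET_RE = re.compile(r"\[(?P<label>[^\]]+)\]\s*$")
_REQUEST_RE = re.compile(r"^(?P<method>GET|POST) (?P<path>\S+)")


@dataclass(frozen=True)
class Indicator:
    host: str
    ip: Optional[str]
    port: Optional[int]
    role: str              # e.g. "Angler EK", "TeslaCrypt callback"
    method: Optional[str]  # set only when the line records a request
    path: Optional[str]


def parse_indicators(text: str) -> list:
    """Parse '- [IP port N -] host - role' lines into Indicator records."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        bracket = _BRACKET_RE.search(rest)
        request = _REQUEST_RE.match(rest)
        out.append(Indicator(
            host=m.group("host").lower(),
            ip=m.group("ip"),
            port=int(m.group("port")) if m.group("port") else None,
            role=bracket.group("label") if bracket else rest,
            method=request.group("method") if request else None,
            path=request.group("path") if request else None,
        ))
    return out


# Constructed proxy log (not from the page's PCAPs):
# "client_ip dst_ip method host path status", one request per line.
SAMPLE_PROXY_LOG = """\
10.0.0.15 198.51.100.7 GET example.com /index.html 200
10.0.0.15 178.62.92.47 GET js.zolotceulya.info /ad.js 200
10.0.0.15 185.46.11.109 GET brut.moood.me /index.php 200
10.0.0.15 192.185.39.66 POST biocarbon.com.ec /wp-content/uploads/bstr.php 200
10.0.0.22 203.0.113.9 POST shop.example.net /cgi-bin/Templates/bstr.php 200
"""

PATH_HEURISTIC_ROLE = "possible TeslaCrypt callback (path heuristic)"


def check_proxy_log(log_text: str, indicators: list) -> list:
    """Return (role, log_line) pairs for requests touching an indicator.

    1. Exact host or destination-IP match against the parsed indicators.
    2. Heuristic (assumption generalized from the page's two callback
       entries): a POST to a path ending in 'bstr.php' is flagged even
       when the host is not on the list.
    """
    by_host = {i.host: i for i in indicators}
    by_ip = {i.ip: i for i in indicators if i.ip}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the sweep
        _client, dst_ip, method, host, path, _status = parts
        ind = by_host.get(host.lower()) or by_ip.get(dst_ip)
        if ind:
            hits.append((ind.role, line))
        elif method == "POST" and path.endswith("bstr.php"):
            hits.append((PATH_HEURISTIC_ROLE, line))
    return hits


if __name__ == "__main__":
    for role, line in check_proxy_log(SAMPLE_PROXY_LOG, parse_indicators(INDICATOR_LINES)):
        print(f"{role:45s} {line}")
```

Matching on destination IP as well as host catches the case where the log records a connection to the EK server IP under a hostname the write-up never saw (these campaigns rotate subdomains faster than IPs). The path heuristic is the noisier of the two checks and is labelled as such in the output so an analyst can triage it separately.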
EXPLOITS/MALWARE:
$ md5sum *.exe
- be6fe8b5fbd85b536396273313a3fbac 2016-02-29-Admedia-Angler-EK-payload-TeslaCrypt0-after-sushifaq.com.exe
- 1d50ab33a89ac28a500e09f2f7856bab 2016-02-29-Pseudo-Darkleech-Angler-EK-payload-TelsaCrypt-after-ncakey.org.exe
- c2c2d3a5f24e17a13bd8ba599be2fb7f 2016-02-29-Pseudo-Darkleech-Angler-EK-payload-TelsaCrypt-after-serenewoods.co.in.exe
- e44e90c06bfeda1b9245bc00d21f37af 2016-02-29-Pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-buro.net.au.exe
$ md5sum *.swf
- 544884c1a956f39a5c198eaaf5503e80 2016-02-29-Admedia-Angler-EK-flash-exploit-after-sushifaq.com.swf
- c660cd298a1aab3feda3894ca86cac12 2016-02-29-Pseudo-Darkleech-Angler-EK-flash-exploit-after-buro.net.au.swf
- c660cd298a1aab3feda3894ca86cac12 2016-02-29-Pseudo-Darkleech-Angler-EK-flash-exploit-after-ncakey.org.swf
- c660cd298a1aab3feda3894ca86cac12 2016-02-29-Pseudo-Darkleech-Angler-EK-flash-exploit-after-serenewoods.co.in.swf
Silverlight exploit
- 1d9199d81006ddd7c250ec281f33a8dd 2016-02-29-Admedia-Angler-EK-silverlight-exploit-after-sushifaq.com.zip
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of all the PCAPs: 2016-02-29-Angler-EK-data-dump-all-pcaps.zip 2.9 MB (2,911,471 bytes)
- ZIP archive of malware and artifacts: 2016-02-29-Angler-EK-data-dump-malware-and-artifacts.zip 2.1 MB (2,077,954 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.